In a recent disclosure, the Securities and Exchange Commission (SEC) revealed that multi-factor authentication (MFA) on its X account was disabled, leading to a false post about the approval of spot Bitcoin exchange-traded funds. The incident took place on Tuesday, January 9, 2024, when the SEC’s @SECGov X account was compromised. Unauthorized posts regarding the approval of spot Bitcoin exchange-traded funds surfaced, causing concerns within the industry.
According to a statement by an SEC spokesperson, it was determined that the unauthorized access to the account occurred through a “SIM swap” attack. This attack involves transferring a person’s phone number to another device without authorization. Although the SEC confirmed that the telecom carrier was responsible for the access to the phone number, the motivation and exact method behind the attack remain under investigation.
It is alarming to discover that multi-factor authentication had been disabled on the @SECGov X account in July 2023 at the staff’s request due to difficulties accessing the account. The disabling remained in effect until the account was compromised, highlighting a significant oversight in security measures. It must be noted that MFA is now enabled for all SEC social media accounts that offer it.
Due to the disabled MFA, the unauthorized party was able to post on the compromised account and falsely announce the Commission’s approval of spot Bitcoin exchange-traded funds. Furthermore, they liked two posts by non-SEC accounts, causing further confusion and potential market disruption. The SEC asserts that, based on current information, there is no evidence that the unauthorized party gained access to its systems, data, devices, or other social media accounts.
Recognizing concerns about the security of its social media accounts, the SEC reaffirms its commitment to cybersecurity obligations. The agency emphasizes that it does not utilize social media channels to announce its actions, and any posts on these platforms merely amplify official announcements on its website. However, this incident serves as a stark reminder of the need for enhanced security measures and the constant vigilance required to defend against unauthorized access.
As the investigations continue, the SEC is diligently assessing the impacts of this incident on the agency, investors, and the marketplace. The team is actively collaborating with law enforcement and federal oversight entities to understand the full extent of the attack and take appropriate action. Updates will be provided to keep the public informed, and any necessary remedial measures will be implemented to address concerns about the security of the SEC’s social media accounts.
The SEC’s disclosure of the disablement of multi-factor authentication on its X account raises serious questions about the agency’s security protocols. The incident serves as a reminder of the importance of implementing robust security measures and regularly reassessing their effectiveness. The SEC must ensure that all its social media accounts are adequately protected to prevent unauthorized access and false announcements that can have significant consequences for the market and investors. Moving forward, it is crucial for the SEC and other organizations to prioritize cybersecurity and remain adaptable to emerging threats in the digital landscape.